The command (curl) downloaded a script (diagnostic.sh) to your machine and the bash -c ran it. I suspect it prompted for your password. If you provided it, then it looks like the script did the following:
- Ran the whoami command to get your user name - stored in variable username
- Ran a while loop to request your local password and verify it. If incorrect it would prompt to re-enter. If correct it wrote it out to /tmp/.pass. Note, the file .pass is hidden (any file/folder that starts with a . is hidden in the Finder).
- Once it has access to your password (in the .pass file), it then curled a payload called update and stored it in /tmp/update.
- Next, it removed any extension attributes from update - this likely cleared the quarantine flag to allow it to run without warning
- Next, it ran chmod to make update executable
- And then it curled a MacKeeper.pkg installer and then opened it to install it.
All of this is no good. At the very least, you have the following created on your machine that you should get rid of:
/tmp/.pass
/tmp/update
/tmp/MacKeeper.pkg
I suspect the payload has generated more junk on your machine so you should also look in /Library/LaunchDaemons, /Library/LaunchAgents, and ~/Library/LaunchAgents. Check your Applications folder for MacKeeper and put it in the Trash. Also, check your /Users/Shared folder and the entirety of the /tmp folder for more junk. If you find launch files, view them with QuickLook (select file and tap spacebar) to see what the files are launching. Follow the paths and purge the unwanted files.
Also, if your local Mac password is the same as your Apple ID, you might want to consider changing your Apple ID password. Your password is not in plain text in the .pass file. This means that any future unwanted payload can run with elevate permissions. But it also means that if there is a process that sends your password out, your password is now compromised.
Good luck. Clean up and trust no one.
